Well, I read up on Tor…

I learned some new things about Tor today that I found alarming, perturbing enough to keep me from touching it again and sketchy enough to make me want to try to offer you some of that information, those of you who know what Tor is, in case you hadn’t come across it yourself. Before you use Tor, or before you continue to rely on the IP-anonymizing system as I’ve seen an increasing number of our visitors do under the presumption that you’re safe from the spooks, you may want to consider the following as it may sway you in another direction or at least make you want to learn the dos and don’ts of using Tor before continuing.

Communicating using either anonymity-providing mechanisms such as Tor or encryption tools such as PGP not only draws suspicion to you, it is presently considered grounds by the US Foreign Intelligence Surveillance Court for the NSA to gather and retain the data without a warrant.

The Tor Project, started by the US Navy for the purpose of “DoD / Intelligence usage (open source intelligence gathering, covering of forward deployed assets)… not helping dissidents in repressive countries,” receives in the neighborhood 80% of its funding from the US Government (DoD and State chiefly) and a significant portion of the remainder from governments of other nations including the Swedish International Development Cooperative Agency, also Google.

Easily-googled howtos illustrate with a short list of steps how simple it is for anyone of laymen skill level with the same equipment you’re looking at right now — voyeurs, hackers and government agencies — to sniff your Tor-routed data and to inject code into your inbound traffic to reveal your IP address or obtain it by other basic means including sniffed email headers. Activities involving this collected data range from identity theft to dragnet prosecution.

It has been observed and speculated that over 50% of Tor exit nodes are operating under such configurations, and, in stands to obvious inference that most, at least a pretty substantial portion, of such nodes are operating for the purpose of collecting and analyzing your data for subsequent purposes you really, really don’t want, and a subset of those node operators are attempting to compromise your machine.

The Tor network, which the FBI regards in their statements to the media as “the largest facilitator of child porn on the planet,” is disproportionately and densely comprised of illegal activity and the reputation of its use is commonly associated with the likes of heinously deviant pornography, money laundering, gun and drug running and illegal leakage of privileged information. Participants in the Tor network (users, onion site operators and node operators alike) have learned the hard way that Tor does not guarantee your privacy or insulate your computer from vulnerabilities of its other software, nor may it protect you from guilt by association (we generally block all Tor exit nodes as a means to fend off spam hacking attempts, a common practice, though I’ve disabled that for this article).

Tor, while improved and patched over time, is likewise a popular, constant target of persistent researchers and academics, as well as black hat hackers, who frequently discover and publish new ways to defeat the anonymity, including geographical locations, browser fingerprints and IP addresses, of its users. Between periods of vulnerability publication and patching and eventual user software upgrading, reconfiguration or practice modification (EG disabling javascript), and at a given point such gaps may exist for a slew of vulnerabilities affecting some or all of its users, its users may become vulnerable or exposed en masse.

Greatly contributing both to general vulnerability and to user false sense of security, as Tor users rely heavily on popular software such as Microsoft Windows and Mozilla Firefox, also interactions with domain name servers, the robustness of Tor’s users’ anonymity is therefore reliant on the integrity of this other software and the modification and their cohesion with one another as they are upgraded. This is largely outside of the control of the Tor maintainers (again, most of the Tor Project’s funding is from the US government), who may only be able to issue advisories to users and requests to Mozilla that go largely unheeded, including recent instructions following a major incident to its users to either to uninstall Windows in favor of another platform or to use an arcane live Linux CD and not to use Javascript in order to mitigate their compromised degree anonymity, further warning that Tor users should presume such major incidents will recur. Kudos for the transparency, Tor Project.

Listen, I am by no means a security expert (hence my offering you two dozen links to people who may know better), but I do know that I learned enough about the pitfalls of Tor and pursuits of digital anonymity to scare myself away from touching any of it in the future, in part because I am by no means an expert. I’m itching to see if I can configure my server to sniff Tor traffic out of curiosity right now, but routing traffic in both directions that is likely both densely illegal and being surveilled by others just seems too self-destructive. Also, because I admittedly don’t know what I’m doing, I might jeopardize the other functions and users of the server my ISP. Given the inherent nature of Tor traffic, I can’t understand why anyone of any skill level would go ahead and light up a Tor exit node. It takes a lot of free speech passion or a lack of understanding of what you’re computer starts doing when it acts in that capacity I suppose.

Maybe you are an expert however. Maybe you want Tor because your life depends on flying under the radar rather than wanting to install Tor just because you read some Snowden leak and want to stick it to the man. Maybe you work for Wikileaks or the NSA. But the takeaway of what I just learned is that the weakest link in the preservation of your privacy when using these sorts of techniques may not be the tools themselves but how you use them – PEBCAK. I’m inclined to bank on a reasonable ration of privacy by just blending in and crossing my fingers, but if the likes of Tor interests you still, I’ll leave you with this link, i2p2.de/how_networkcomparisons, and a wish of good luck. Now, as for me, I’ll go bootleg myself a copy of Enemy of the State…. without using Tor.

Doug Simmons

Update: This is neither here nor there, but I mentioned Tor’s funding and my intending to watch Enemy of the State — Gene Hackman’s fictional ex-NSA/CIA character who spends his days in a Faraday cage attended Drexel University in Philadelphia. Turns out in real life Drexel (known for not having that much money to blow around) is among the top of the list of Tor’s benefactors, and a little googling shows the NSA has a pretty friendly relationship with Drexel. Just throwing that out there, not implying that any of that is related or has any meaning whatsoever. But if you want to get recruited to work for the NSA and score some free Tor stickers for your laptop in the same location, but don’t have the grades and money to get into MIT, maybe aim for Drexel.

Wow great write-up thank you for the info. Been wanting to do some research on Tor for a while but didn’t know where to begin. Looks like I’ve found a good starting point :) Always wondered why the navy gave this program up. Either they were compromised themselves a few times, realized it’s not as secure as they though so they moved on to the next program or they figured since they know how to compromise Tor they’d release it to the public, give a false sense of security and go in there after anyone they want (or all of the above). Either way I’ve never trusted it, VPN all the way.

I watched that movie again last week, after all this PRISM in the news I had the urge, great movie still.

JRDemaskus, Jay: Thanks fellas. This was pretty tl;dr, didn’t think anyone would make it through it, and glad to hear it might be helpful to at least one or two people.

Jay: I watched Seven again recently in which there’s a scene where Morgan Freeman uses his FBI buddy to print out a list of everyone who checked out Dante’s Inferno-like books from public libraries in order to find the killer, to Brad Pitt’s objection about privacy — a movie from 1994, fiction, yet something completely congruent to what’s going down now. Regarding the origins of Tor, here’s an email thread that may offer some clues: http://cryptome.org/0003/tor-spy.htm

Just in case that wasn’t long enough for you, if you want more paragraphs, one thing I should have mentioned for those who stick to Tor, here’s the most common way (?) people get screwed: Because /many/ services do not use encryption for user logins, which would be completely visible to a Tor exit node (your credentials), and because many people lack password discipline with respect to always using a different password on every service, if you sign onto your Gmail or Netflix or iTunes or whatever over Tor, you’d be somewhat safe, but were you in the same session to pop up another tab and sign into something like your XDA or Slashdot account or your own WordPress blog, the Tor exit node sniffer after snatching the unencrypted login may attempt to sign into your encrypted login-using services using the password you used for non-encrypted services. This work is automated with simple scripts, not a huge effort requiring major resources and time. Only recently did Facebook start enforcing login encryption.

So, to mitigate that, never ever use the same passwords for more than one service. Tor does not provide end-to-end encryption, and many passwords and bundles of email fly over the Internet without any encryption. Though it’s possible to be fairly on-guard against most of them, there are so many additional ways things can go wrong if you’re on Tor, and you clump yourself in with a crowd that, because they want privacy, is an attractive target, and under elevated indiscriminate access to anyone. Hell you could probably run a Tor exit node with this packet sniffing and html injection stuff right on your damn cell phone and start raking in passwords and whatever else you want.

And Tor is so closely associated with pedophilia, what pops into someone’s head when they think of Tor. One of the longest and most passionate dead horse-beating Wikipedia editor argument threads I’ve read is about whether or not they should include to the so-called Hidden Wiki, some arguing that it’s just too over-the-top in terms of its saturation of child pornography to outweigh it’s “encyclopedic value” to the article on Tor, an amusing read: http://en.wikipedia.org/wiki/Talk:Tor_(anonymity_network)#I_am_removing_the_links_to_the_hidden_wiki_for_now

Now, while you may not be hunting for porn or doing anything remotely sketchy, because of this close association the public has, there isn’t any stigma to deter people (rather, there is a strong incentive) to hack Tor and brag about it. This sort of thing happens all the time. Hell, even the likes of Anonymous teams up to hack Tor to make the news. Not to mention intelligence agencies, I’d call it likely that they’re hacking Tor as well, prolifically, and not sharing their findings with Tor, meanwhile, given that they were founded by the military and continue to be funded almost entirely by the government, and given various Snowden revelations, it’s not that big a leap to suspect collusion between the Tor Project and the NSA in manners Tor users would find quite flagrant, how Microsoft was accused of handing zero-day Windows vulnerabilities to the government well in advance of disclosing them to the public. If you were a hacker, a voyeur or in law enforcement or intelligence, wouldn’t you focus your attention on Tor traffic and Tor vulnerabilities?

The Tor community is dying for the likes of Mozilla to include Tor in the official Firefox so that data flying around Tor circuits is less saturated with child porn. But I doubt it will happen because, on top of any government pressure Mozilla might receive, you get guys like this: https://bugzilla.mozilla.org/show_bug.cgi?id=901614#c9
“While Tor is a commendable privacy extension please make sure it ships as default off and preferably can be removed completely easily. In the eyes of one too many law enforcement agencies it’s related fairly closely with child pornography. I have no desire to have such a thing on my computer.” That’s Tor’s reputation not because of a programming failure but because people who do illegal things tend to want anonymity whether its by means of Tor or wearing a ski mask. While I may be cold in the winter and want to go into a bank one day, as a result of that association, I’d probably not want to have a ski mask on me, obviously.

To get an idea of how frequently Tor gets hacked publicly, google something like “site:blog.torproject.org immediately”
which will revieal things like https://blog.torproject.org/blog/tor-02234-released-security-patches, the first comment on the thread for which is “Attention security researchers, this is how you attack Tor successfully. Read and take notes.” So you need to keep your eye on not only Tor vulnerabilities, but Firefox, Windows, Debian Linux, OpenSSL, TLS, random number generators and on and on if you intend to use Tor both regularly and effectively. And you’re also banking on the IT guys behind the services you use to do the same but on much larger scales while heavily targeted by hackers and national security letters alike.

It is a simple trick for a Tor exit node to pass you what looks like the website you’re trying to access, except with a bit of hidden malicious code to completely compromise your computer for God knows what purpose, and then it’s open season for the spooks and bad guys on your machine — on top of the threat you already have of visiting websites which have been compromised to spit out dirty code. So be extra vigilant. Meaning, instead of just relying on your antivirus program, use netstat to see if your computer is phoning home to China or Virginia.

Or use a live CD, specifically Tails as the Tor Project advises, or perhaps use Whonix, if this is truly important to you. After reading this stuff myself, I really feel that I am not good enough with computers to use Tor regularly in a manner that does not expose me to greater danger than using nothing. And I’m not that bad with computers.

[…] code in it, and some slips through to the shipped product. And then there’s Tor, funded almost exclusively by the US government, started by the US military, and many in the world have a strong interest (and […]